Re: ISMS working group and charter problems

[Eliot Lear <lear () cisco com>]

Daniel,

All solutions will use a different SSH port as part of the standard just
so that firewall administrators have the ability to block.

Eliot


Daniel Senie wrote:
> At 02:00 PM 9/6/2005, Dave Crocker wrote:
>
>
> > Eliot,
> >
> > > I need your help to correct for an impending mistake by the ISMS
> > > working group in the IETF.
> >
> >
> >
> > Your note is clear and logical, and seems quite compelling.
> >
> > Is there any chance of getting a proponent of the working group's
> > decision to post a defense?
> >
> > (By the way, I am awestruck at the potential impact of changing SNMP
> > from UDP-based to TCP-based, given the extensive debates that took
> > place about this when SNMP was originally developed.  Has THIS
> > decision been subject to adequate external review, preferably
> > including a pass by the IAB?)
>
>
> I agree the argument is well laid out, and would be interested in
> hearing the thinking of ISMS in response.
>
> I'm more than a bit concerned, however, when folks start talking about
> solutions that will permit things to pass through firewalls without
> configuration. Those in charge of firewalls are often purposely setting
> policy. If there is a perceived need for a policy that prevents SNMP
> traffic, then it should remain possible for the administrator of that
> network element to make that call. I must say I have some concern with
> overlaying SNMP on SSH, since that precludes the firewall knowing
> whether the traffic is general SSH keyboard traffic or network management.
>
> Let's hear more about the thinking involved.